Mirai—the malware responsible for creating a massive "botnet" of hacked Internet-connected cameras, digital video recorders, and other devices that interrupted Internet services for many last week—is still in action, according to data from the network security company Arbor Networks. An ever-shifting army of about 500,000 compromised Internet of Things (IoT) devices is still being controlled by Mirai, based on Arbor's tracking of the malware's communications. And multiple command-and-control networks are still directing those devices to attack websites and service providers across the Internet. But as previously predicted, new and improved versions of the Mirai malware—based on the openly-published source code Mirai's alleged author posted on September 30—are now appearing in the " and wreaking additional havoc.
In a blog post, Roland Dobbins, Principal Engineer on Arbor's ASERT Team, noted that "relatively high concentrations of Mirai nodes have been observed in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain." Devices that are vulnerable to Mirai takeover, he noted, "are typically listening for inbound telnet access on TCP [port] 23 and TCP [port] 2323," and compromised devices communicate via "a remote-control backdoor" that is also present in Mirai, "accessible via TCP/103." Mirai botnets constantly scan the entire Internet for vulnerable devices, so even when a device is rebooted or reset, it can be compromised all over again within 10 minutes.
Dobbins also noted that "multiple threat actor groups are actively working to expand and improve" the attacks that were coded into Mirai, and that "some alterations in the DDoS attack capabilities of at least one Mirai-derived botnet have been observed in the wild."